AMENDMENTS TO THE CLAIMS

Listing of Claims 

1. (Original) A method for handling digital data packets at a logical borderline that separates an
untrusted packet-switched information network from a protected domain, comprising the steps of: 

- intercepting, at a packet processor part, a packet that is in transit between the untrusted packet- 
switched information network and the protected domain, 

- examining the packet at the packet processor part in order to determine, whether the packet 
contains digital data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol, 
processing the packet at the packet processor part, and 

- if the packet is found to contain digital data that pertains to said certain protocol, redirecting the 
packet to an application gateway part and processing the packet at the application gateway part 
according to a set of processing rules based on obedience to said certain protocol; 

wherein the packet processor part is a kernel mode process running in a computer device and the 
application gateway part is a user mode process running in a computer device. 

2. (Original) A method according to claim 1, comprising the steps of: 

- regarding a packet that is redirected from the packet processor part to the application gateway part: 

- replacing an original value of a certain destination information field within the packet 
with a replacement value that identifies the application gateway part as the destination of the
packet,

- indicating from the packet processor part to the application gateway part the original 
value of the destination information field found in the packet at the moment of 
intercepting the packet at the packet processor part and 

- using the indicated original value of the destination information field at the application 
gateway part in processing the packet. 

3. (Original) A method according to claim 2, comprising additionally the steps of:

- replacing an original value of a certain source information field within the packet with a 
replacement value that identifies the packet processor part as the source of the packet, 

- indicating from the packet processor part to the application gateway part the original value of the
source information field found in the packet at the moment of intercepting the packet at the packet 
processor part and 

- using the indicated original value of the source information field at the application gateway part in 
processing the packet. 

4. (Original) A method according to claim 2 or 3, wherein steps of indicating the original values of
certain fields comprise transmitting the original values of such fields from the packet processor part 
to the application gateway part together with the redirected packet, said certain fields including at 
least one of a source field and a destination field. 

5. (Original) A method according to claim 4, comprising the steps of: 

- at the packet processor part: 

- setting the value of a certain bit in the packet to indicate the presence of urgent 
information within the packet, 

- inserting into a pointer field in the packet a pointer value that points at the end of urgent 
information within the packet, and 

- inserting the original values of said certain fields as urgent information into the packet 
immediately before the location pointed at by the pointer value; and 

- at the application gateway part: 

- reading the original values of said certain fields from the location in the packet pointed at 
by the pointer value. 

6. (Original) A method according to claim 4, comprising the steps of:

- at the packet processor part: 

- setting the value of an options field in the packet to indicate the presence of optional 
information within the packet, and 

- inserting the original values of said certain fields into the packet as optional 
information; and 

- at the application gateway part: 

- reading the original values of said certain fields from the packet as optional information. 

7. (Previously presented) A method according to claim 2 or 3, wherein steps of indicating the 
original values of certain fields comprise transmitting the original values of such fields from the 
packet processor part to the application gateway part separately from the redirected packet, said 
certain fields including at least one of a source field and a destination field. 

8. (Original) A method according to claim 7, comprising the steps of: 

- at the packet processor part: 

- composing a messaging packet that conforms to a messaging protocol, and inserting the 
original values of said certain fields into the messaging packet together with the 
replacement values, and 

- transmitting the messaging packet to the application gateway part; and 

- at the application gateway part: 

- receiving the messaging packet, and 

- associating the original values of said certain fields read from the messaging packet with 
the replacement values found in the redirected packet.

9. (Original) A method according to claim 8, wherein the messaging packet is a User Datagram 
Protocol packet. 

10. (Original) A method according to claim 8, wherein the step of transmitting the messaging
packet to the application gateway part is performed more than once in order to transmit several 
redundant copies of the messaging packet to the application gateway part. 

11. (Original) A method according to claim 7, wherein the packet processor part transmits the
original values of said certain fields from the packet processor part to the application gateway part 
spontaneously. 

12. (Original) A method according to claim 7, comprising the step of transmitting from the 
application gateway part to the packet processor part a query for the original values of certain fields, 
so that the packet processor part only transmits the original values of said certain fields to the 
application gateway part as a response to said query. 

13. (Original) A method according to claim 7, wherein the packet processor part transmits the 
original values of said certain fields from the packet processor part to the application gateway part 
spontaneously, and if the application gateway part has not received such spontaneously transmitted 
original values within a certain time limit after the reception of a packet for which such original 
values would be needed, the application gateway part transmits to the packet processor part a query 
for the original values of said certain fields, so that the packet processor part also transmits the 
original values of said certain fields to the application gateway part as a response to said query. 

14. (Original) A method according to claim 7, comprising the step of transmitting the original 
values of said certain fields from the packet processor part to an application gateway part running in 
the same computer device with the packet processor part through a communications routine that is
internal to that computer device and relies on functions defined in an operating system of that
computer device. 

15. (Original) A method according to claim 1, comprising the steps of: 

- regarding a packet that is redirected from the packet processor part to the application gateway part: 

- prepending a header to the packet at the packet processor part, the prepended header
containing a value that identifies the application gateway part as the destination of the 
packet, 

- stripping the prepended header from the packet at the application gateway part and 

- using the original value of a destination information field in the packet at the application 
gateway part in processing the packet. 

16. (Original) A method according to claim 15, wherein the prepended header also contains a value 
that identifies the packet processor part as the source of the packet. 

17. (Original) A method according to claim 1, comprising the steps of: 

- at the packet processor part: 

- enveloping an original packet to be redirected from the packet processor part to the 
application gateway part into an enveloping packet; and 

- at the application gateway part: 

- extracting the original packet from the enveloping packet. 

18. (Original) A method according to claim 17, wherein the enveloping packet is a packet 
according to the Socks protocol. 

19. (Original) A method according to claim 1, wherein the step of redirecting the packet to an 
application gateway part involves only transferring the packet to a logically separate entity within 
the same physical device where the packet processor part resides. 

20. (Original) A method according to claim 1, wherein the step of redirecting the packet to an 
application gateway part involves transferring the packet to a device that is physically separate from 
the device where the packet processor part resides. 

21. (Previously presented) A method according to claim 1, comprising, after the step of processing
the packet at the application gateway part, the further steps of: 

- returning the processed packet from the application gateway part to the packet processor part and 

- forwarding such a returned packet from the packet processor part towards an original destination 
that the packet had at the moment of it becoming intercepted. 

22. (Original) A method according to claim 21, comprising the steps of: 

- composing at the packet processor part a mapping function that associates a packet redirected to 
the application gateway part with an original value of a certain destination information field that 
said packet had at the moment of it becoming intercepted and 

- as a response to receiving a processed packet from the application gateway part to the packet 
processor part, using said mapping function to restore the original value of the destination 
information field in that processed packet. 

23. (Original) A method according to claim 22, wherein the mapping function also associates a 
packet redirected to the application gateway part with an original value of a certain source 
information field that said packet had at the moment of it becoming intercepted, and as a response to 
receiving a processed packet from the application gateway part to the packet processor part, said 
mapping function is also used to restore the original value of the source information field in that 
processed packet. 
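
An added illustration, not part of the claims or of any implementation by the applicant: a Python simulation of the redirect-and-restore flow of claims 2, 3 and 21 to 23, in which unknown or rejected packets are dropped. The addresses, the port-based protocol test, the gateway policy and the use of a per-stream replacement source port as the lookup key are assumptions of this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed values for illustration; none of them come from the claims.
GATEWAY: Endpoint = ("127.0.0.1", 8021)   # user-mode application gateway
PROCESSOR_IP = "127.0.0.1"                # address used for replacement sources
INSPECTED_PORTS = {21}                    # assumption: port 21 marks the "certain protocol"
ALLOWED_SERVERS = {("192.0.2.10", 21)}    # gateway policy on the ORIGINAL destination
ALLOWED_VERBS = (b"USER", b"PASS", b"QUIT")


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


class PacketProcessor:
    """Stands in for the kernel-mode part: classify, redirect, restore."""

    def __init__(self) -> None:
        # Mapping function: replacement source -> original (src, dst), and back.
        self._by_repl: Dict[Endpoint, Tuple[Endpoint, Endpoint]] = {}
        self._by_orig: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}
        self._next_port = 40000

    def intercept(self, pkt: Packet) -> Tuple[str, Packet]:
        """Packets outside the inspected protocol are handled here, untouched."""
        if pkt.dst[1] not in INSPECTED_PORTS:
            return "forward", pkt
        flow = (pkt.src, pkt.dst)
        repl_src = self._by_orig.get(flow)
        if repl_src is None:
            # First packet of a stream: allocate one replacement source for it.
            repl_src = (PROCESSOR_IP, self._next_port)
            self._next_port += 1
            self._by_orig[flow] = repl_src
            self._by_repl[repl_src] = flow
        # Rewrite both fields so the packet is delivered to the gateway.
        return "redirect", replace(pkt, src=repl_src, dst=GATEWAY)

    def original_of(self, repl_src: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Indicate the original field values to the gateway."""
        return self._by_repl.get(repl_src)

    def restore(self, pkt: Packet) -> Optional[Packet]:
        """Restore original fields on a returned packet; drop if no mapping exists."""
        flow = self._by_repl.get(pkt.src)
        if flow is None or pkt.dst != GATEWAY:
            return None  # fail closed: not a packet this processor redirected
        return replace(pkt, src=flow[0], dst=flow[1])


def gateway_process(pkt: Packet, processor: PacketProcessor) -> Optional[Packet]:
    """User-mode part: apply protocol rules using the ORIGINAL destination."""
    flow = processor.original_of(pkt.src)
    if flow is None:
        return None
    _orig_src, orig_dst = flow
    if orig_dst not in ALLOWED_SERVERS:
        return None
    if not pkt.payload.startswith(ALLOWED_VERBS):
        return None
    return pkt


def handle(processor: PacketProcessor, pkt: Packet) -> Optional[Packet]:
    """Full path: intercept, optionally redirect and inspect, then release."""
    verdict, out = processor.intercept(pkt)
    if verdict == "forward":
        return out
    checked = gateway_process(out, processor)
    return processor.restore(checked) if checked is not None else None


if __name__ == "__main__":
    proc = PacketProcessor()
    client = ("198.51.100.7", 50123)
    print(handle(proc, Packet(client, ("192.0.2.10", 21), b"USER alice\r\n")))
    print(handle(proc, Packet(client, ("192.0.2.99", 21), b"USER alice\r\n")))
```

Without the indicated original destination the gateway would see only its own address in the destination field, so a per-server policy such as `ALLOWED_SERVERS` could not be evaluated.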

24. (Original) A method according to claim 21, comprising the steps of: 

- transmitting from the application gateway part to the packet processor part information that 
associates a processed packet returned from the application gateway part to the packet processor
part with an original value of a certain destination information field that said processed packet had 
at the moment of it becoming intercepted and 

- as a response to receiving a processed packet from the application gateway part to the packet 
processor part, using said transmitted information to restore the original value of the destination 
information field in that processed packet. 

25. (Original) A method according to claim 24, comprising the steps of:

- transmitting from the application gateway part to the packet processor part information that 
associates a processed packet returned from the application gateway part to the packet processor 
part with an original value of a certain source information field that said processed packet had at the
moment of it becoming intercepted and

- as a response to receiving a processed packet from the application gateway part to the packet 
processor part, using said transmitted information to restore the original value of the source 
information field in that processed packet. 

26. (Previously presented) A method according to claim 1, comprising, after the step of processing 
the packet at the application gateway part, the further step of: 

- forwarding such a processed packet from the application gateway part towards an original
destination that the packet had at the moment of it becoming intercepted, without circulating the 
forwarded packet through the packet processor part. 

27. (Original) A method according to claim 26, comprising the steps of: 

- transmitting from the packet processor part to the application gateway part information that
associates each packet redirected from the packet processor part to the application gateway part with
an original value of a certain destination information field that the redirected packet had at the 
moment of it becoming intercepted and 

- after a packet has been processed at the application gateway part, using said transmitted 
information to restore the original value of the destination information field in that packet. 

28. (Original) A method according to claim 27, comprising the steps of: 

- transmitting from the packet processor part to the application gateway part information that 
associates each packet redirected from the packet processor part to the application gateway part with 
an original value of a certain source information field that the redirected packet had at the moment 
of it becoming intercepted and 

- after a packet has been processed at the application gateway part, using said transmitted
information to restore the original value of the source information field in that packet. 

29. (Original) A method according to claim 1, wherein packets are handled in packet streams, all 
packets of an individual packet stream having the same values in certain source and destination 
information fields of each packet, and wherein if the first intercepted packet of a certain packet 
stream is found to contain digital data that pertains to said certain protocol, that packet and all 
subsequent packets belonging to the same packet stream are redirected to the application gateway
part and processed at the application gateway part according to the set of processing rules based on
obedience to said certain protocol. 

30. (Original) A method according to claim 29, comprising the steps of: 

- within the first packet and all subsequent packets of a certain packet stream that is found to contain 
digital data that pertains to said certain protocol, replacing an original value of a certain destination 
information field with a replacement value that identifies the application gateway part as the 
destination of the packets, thus enabling redirecting to the application gateway part, 

- indicating from the packet processor part to the application gateway part the original value of the 
destination information field found in the first redirected packet of a packet stream at the moment of 
intercepting the packet at the packet processor part and 

- using the indicated original value of the destination information field at the application gateway 
part in processing the packets of the redirected packet stream. 

31. (Original) A method according to claim 30, comprising the steps of: 

- within the first packet and all subsequent packets of a certain packet stream that is found to contain 
digital data that pertains to said certain protocol, replacing also an original value of a certain source 
information field with a replacement value that identifies the packet processor part as the source of 
the packets, 

- indicating from the packet processor part to the application gateway part the original value of the
source information field found in the first redirected packet of a packet stream at the moment of 
intercepting the packet at the packet processor part and 

- using the indicated original value of the source information field at the application gateway part in 
processing the packets of the redirected packet stream. 

32. (Original) A method according to claim 30 or 31, wherein the step of indicating from the packet 
processor part to the application gateway part the original values of certain information fields 
comprises at least one repetition in order to transmit redundant indications from the packet 
processor part to the application gateway part. 

33. (Original) A method according to claim 29, wherein the packets of an individual packet stream 
belong to an individual TCP connection.

34. (Previously presented) A method according to claim 1, comprising, between the steps of 
redirecting the packet to the application gateway part and processing the packet at the application 
gateway part, a step of removing from the redirected packet any traces of it having been redirected, 
so that the application gateway part processes the packet as if it had received the packet for 
processing immediately after the packet was intercepted. 

35. (Previously presented) A method according to claim 34, comprising, after the step of processing 
the packet at the application gateway part, the steps of: 

- re-inserting into the processed packet the redirection information that was removed from the 
packet before processing the packet at the application gateway part, so that after the re-inserting the 
packet contains values that identify the application gateway part as the source and the packet 
processor part as the destination of the packet, 

- returning the processed packet from the application gateway part to the packet processor part and 

- forwarding such a returned packet from the packet processor part towards an original destination
that the packet had at the moment of it becoming intercepted. 

36. (Original) A method according to claim 1, comprising the step of: 

- after a certain packet has been redirected from the packet processor part to the application gateway 
part, dynamically establishing a new instruction for the packet processor part regarding the 
redirecting of subsequently arriving packets that have a certain relationship to the packet that was 
redirected from the packet processor part to the application gateway part. 

37. (Original) A method according to claim 36, comprising the steps of: 

- detecting at the application gateway part that a packet that was redirected from the packet 
processor part to the application gateway part contains data that pertains to a certain control channel
defined in a protocol that also defines a data channel associated with said control channel, 

- establishing a new instruction for the packet processor part to redirect to the application gateway 
part subsequently arriving packets that contain data that pertains to said data channel, and 

- communicating the established new instruction from the application gateway part to the packet 
processor part. 

38. (Original) A method according to claim 36, comprising the steps of: 

- detecting that a packet that was redirected from the packet processor part to the application 
gateway part is associated with a certain first port number and contains data that pertains to a certain 
protocol that defines that also a certain second port number should be reserved to said certain 
protocol, and 

- establishing a new instruction for the packet processor part to redirect to the application gateway 
part subsequently arriving packets that are associated with said second port number. 

39. (Original) A method for handling digital data packets at a logical borderline that separates an 
untrusted packet-switched information network from a protected domain, comprising the steps of: 

- intercepting, at a packet processor part, a packet that is in transit between the untrusted packet-
switched information network and the protected domain, 

- examining the packet at the packet processor part in order to determine, whether the packet 
contains digital data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol,
processing the packet at the packet processor part, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 

- replacing an original value of a certain destination information field within the packet 
with a replacement value that identifies an application gateway part as the destination of the
packet, and redirecting the packet to the application gateway part,

- indicating from the packet processor part to the application gateway part the original value 
of the destination information field found in the packet at the moment of intercepting the packet at 
the packet processor part and 

- using the indicated original value of the destination information field at the application
gateway part in processing the packet according to a set of processing rules based on 
obedience to said certain protocol. 

40. (Original) A method according to claim 39, additionally comprising the steps of: 

- if the packet is found to contain digital data that pertains to said certain protocol, replacing also an 
original value of a certain source information field within the packet with a replacement value that 
identifies the packet processing part as the destination of the packet before redirecting the packet to 
the application gateway part, 

- indicating from the packet processor part to the application gateway part the original value of the 
source information field found in the packet at the moment of intercepting the packet at the packet 
processor part and 

- using the indicated original value of the source information field at the application gateway part in
processing the packet according to a set of processing rules based on obedience to said certain 
protocol. 

41. (Original) A method for handling digital data packets at a logical borderline that separates an
untrusted packet-switched information network from a protected domain, comprising the steps of: 

- intercepting, at a packet processor part, a packet that is in transit between the untrusted packet- 
switched information network and the protected domain, 

- examining the packet at the packet processor part in order to determine, whether the packet 
contains digital data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol, 
processing the packet at the packet processor part, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 

- prepending a header to the packet at the packet processor part, the prepended header 
containing a value that identifies an application gateway part as the destination of the 
packet, and redirecting the packet to the application gateway part, 

- stripping the prepended header from the packet at the application gateway part and 

- using the original value of the destination information field in the packet at the 
application gateway part in processing the packet according to a set of processing rules 
based on obedience to said certain protocol. 

42. (Original) A method according to claim 41, additionally comprising the steps of: 

- if the packet is found to contain digital data that pertains to said certain protocol, inserting into the 
prepended header also a value that identifies the packet processor part as the source of the packet 
before redirecting the packet to the application gateway part, and 

- using the original value of the source information field in the packet at the application gateway 
part in processing the packet according to a set of processing rules based on obedience to said 
certain protocol. 

43. (Original) A method for handling digital data packets at a packet processing entity located at a 
logical borderline that separates an untrusted packet-switched information network from a protected 
domain, comprising the steps of: 

- intercepting a packet when the packet is in transit between the untrusted packet-switched
information network and the protected domain, 

- examining the packet in order to determine, whether the packet contains digital data that pertains 
to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol,
processing the packet at the packet processing entity, and

- if the packet is found to contain digital data that pertains to said certain protocol, 

- replacing an original value of a certain destination information field within the packet 
with a replacement value that identifies an application gateway part as the destination of the
packet,

- redirecting the packet to the application gateway part for processing according to a set of 
processing rules based on obedience to said certain protocol, and 

- indicating to the application gateway part the original value of the destination 
information field found in the packet at the moment of intercepting the packet at the 
packet filtering entity. 

44. (Original) A method according to claim 43, additionally comprising the steps of: 

- if the packet is found to contain digital data that pertains to said certain protocol, replacing an
original value of a certain source information field within the packet with a replacement value that 
identifies the packet processing entity as the source of the packet before redirecting the packet to the 
application gateway part, and 

- indicating to the application gateway part also the original value of the source information field 
found in the packet at the moment of intercepting the packet at the packet processing entity. 

45. (Original) A method according to claim 43, additionally comprising the steps of: 

- receiving a packet from the application gateway part after processing according to a set of 
processing rules based on obedience to said certain protocol. 

- restoring the destination information field within the packet to contain the original value that was
previously replaced with a replacement value that identified the application gateway part as the 
destination of the packet, and 

- releasing the packet towards a destination that is identified by the original value. 

46. (Original) A method according to claim 45, additionally comprising the step of restoring a 
source information field within the packet that was received from the application gateway part to
contain an original value that was previously replaced with a replacement value that identified the 
packet processor part as the source of the packet. 

47. (Original) A method for handling digital data packets at a packet processing entity located at a 
logical borderline that separates an untrusted packet-switched information network from a protected
domain, comprising the steps of: 

- intercepting a packet when the packet is in transit between the untrusted packet-switched 
information network and the protected domain, 

- examining the packet in order to determine, whether the packet contains digital data that pertains
to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain protocol, 
processing the packet at the packet processing entity, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 

- prepending a header to the packet, the prepended header containing a value that identifies 
an application gateway part as the destination of the packet, and 

- redirecting the packet to the application gateway part for processing according to a set of 
processing rules based on obedience to said certain protocol. 

48. (Original) A method according to claim 47, additionally comprising the step of: 

- if the packet is found to contain digital data that pertains to said certain protocol, 
inserting into the prepended header also a value that identifies the packet processing 
entity as the source of the packet before redirecting the packet to the application gateway 
part.

49. (Original) A method according to any of claims 1, 39, 41, 43 or 47, wherein the step of 
examining the packet in order to determine, whether the packet contains digital data that pertains to 
a certain protocol, involves handling the packet according to a set of packet filtering rules. 

50. (Original) A method according to any of claims 1, 39, 41, 43 or 47, wherein the step of 
examining the packet in order to determine, whether the packet contains digital data that pertains to 
a certain protocol, involves checking, whether the packet belongs to a connection or flow all packets 
of which should be redirected to the application gateway part. 

51. (Original) A method for handling digital data packets at an application gateway entity located at 
a logical borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising the steps of: 

- receiving an intercepted and redirected packet from a packet processor part that intercepts packets 
when they are in transit between the untrusted packet-switched information network and the 
protected domain, 

- receiving from the packet processor part an original value of a certain destination information field
found in the packet at the moment of intercepting the packet at the packet processor part, and 

- processing the packet according to a set of processing rules that are based on obedience to said 
certain protocol and take also the original value of the destination information field into account. 

52. (Original) A method according to claim 51, additionally comprising the steps of: 

- receiving from the packet processor part an original value of a certain source information field 
found in the packet at the moment of intercepting the packet at the packet processor part, and 

- processing the packet according to a set of processing rules that are based on obedience to said 
certain protocol and take also the original value of the source information field into account. 

53. (Original) A system for handling digital data packets at a logical borderline that separates an
untrusted packet-switched information network from a protected domain, comprising: 

- a packet processor part that is arranged to intercept packets when they are in transit between the 
untrusted packet-switched information network and the protected domain and to examine the 
packets in order to determine, whether the packets contain digital data that pertains to a certain 
protocol, 

- an application gateway part and a communications connection between the packet processor part 
and the application gateway part, 

- at the packet processor part, packet processing means that are arranged to process such packets 
that are not found to contain digital data that would pertain to said certain protocol, 

- at the packet processor part, redirecting means that are arranged to redirect to the application 
gateway part such packets that are found to contain digital data that pertains to said certain protocol, 
and 

- at the application gateway part, application gateway processing means that are arranged to process 
such packets according to a set of processing rules based on obedience to said certain protocol that 
are redirected from the packet processor part to the application gateway part; of which the packet 
processor part is arranged to run as a kernel mode process in a computer device and the application
gateway part is arranged to run as a user mode process in a computer device.

54. (Original) A system according to claim 53, comprising: 

- at the packet processor part, means for replacing an original value of a certain destination 
information field within a packet with a replacement value that identifies the application gateway 
part as the destination of the packet, 

- means for indicating from the packet processor part to the application gateway part the original 
value of the destination information field found in the packet at the moment of intercepting the 
packet at the packet processor part and 

- at the application gateway part, means for using the indicated original value of the destination 
information field at the application gateway part in processing the packet. 

55. (Original) A system according to claim 54, additionally comprising: 

- at the packet processor part, means for replacing an original value of a certain source information 
field within a packet with a replacement value that identifies the packet processor part as the source 
of the packet, 

- means for indicating from the packet processor part to the application gateway part the original 
value of the source information field found in the packet at the moment of intercepting the packet at 
the packet processor part and 

- at the application gateway part, means for using the indicated original value of the source 
information field at the application gateway part in processing the packet. 

56. (Original) A system according to claim 53, comprising: 

- at the packet processor part, means for prepending a header to a packet, the prepended header 
containing a value that identifies the application gateway part as the destination of the packet, 

- at the application gateway part, means for stripping a prepended header from a packet and 

- at the application gateway part, means for using the original value of the destination information 
field in the packet in processing the packet. 

57. (Original) A system according to claim 56, additionally comprising: 

- at the packet processor part, means for inserting into the prepended header also a value that 
identifies the packet processor part as the source of the packet, and 

- at the application gateway part, means for using the original value of the source information field 
in the packet in processing the packet. 
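
The prepended-header redirection of claims 56 and 57, as an added sketch that is not part of the application or of any product. The header layout, the addresses, the choice of FTP control traffic on TCP port 21 as the "certain protocol" and the allow-list rule are assumptions, and the kernel mode and user mode parts are modelled as plain functions.

```python
import struct
from ipaddress import IPv4Address

# Assumed encapsulation layout (the claims define none): source = packet
# processor, destination = application gateway, then the inner packet length.
ENCAP = struct.Struct("!4s4sH")
PROCESSOR = IPv4Address("192.0.2.1").packed        # constructed address
GATEWAY = IPv4Address("192.0.2.2").packed          # constructed address
FTP_PORT = 21                                      # assumed "certain protocol"
ALLOWED_SERVERS = {IPv4Address("198.51.100.10")}   # constructed gateway rule

def make_packet(src, dst, sport, dport, payload=b""):
    """Build a constructed IPv4+TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp

def parse(packet):
    """Return (protocol, src, dst, dport) of an IPv4 packet or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated header")
    dport = struct.unpack_from("!H", packet, ihl + 2)[0]
    return packet[9], IPv4Address(packet[12:16]), IPv4Address(packet[16:20]), dport

def packet_processor(packet):
    """Packet processor role: pass ordinary traffic, encapsulate protocol traffic."""
    proto, _, _, dport = parse(packet)
    if proto == 6 and dport == FTP_PORT:
        return "redirect", ENCAP.pack(PROCESSOR, GATEWAY, len(packet)) + packet
    return "forward", packet

def application_gateway(frame):
    """Gateway role: strip the header, then decide on the untouched inner fields."""
    if len(frame) < ENCAP.size:
        return "drop: short frame"
    src, dst, length = ENCAP.unpack_from(frame)
    inner = frame[ENCAP.size:]
    if src != PROCESSOR or dst != GATEWAY or length != len(inner):
        return "drop: bad encapsulation"
    try:
        _, orig_src, orig_dst, _ = parse(inner)
    except ValueError:
        return "drop: malformed inner packet"
    verdict = "proxy" if orig_dst in ALLOWED_SERVERS else "deny"
    return f"{verdict} {orig_src} -> {orig_dst}"
```

Because the inner packet is carried unmodified, the gateway reads the original source and destination directly from it; the checks on the prepended header keep the gateway from acting on frames that did not come from the packet processor.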

58. (Original) A system according to claim 53, comprising a single computer device arranged to 
run the packet processor part as a kernel mode process and the application gateway part as a user 
mode process. 

59. (Original) A system according to claim 53, comprising a first computer device arranged to run 
the packet processor part as a kernel mode process and a second computer device, separately from 
said first computer device, arranged to run the application gateway part as a user mode process. 

60. (Original) A system according to claim 59, wherein the second computer is arranged to run 
several application gateway parts as simultaneously or alternately active user mode processes. 

61. (Original) A system according to claim 59, comprising several second computer devices, each 
of which has a communications connection with the first computer device and each of which is 
arranged to run at least one application gateway part as a user mode process. 

62. (Original) A packet processing device for handling digital data packets at a logical borderline 
that separates an untrusted packet-switched information network from a protected domain, 
comprising: 

- packet intercepting means for intercepting packets when they are in transit between the untrusted 
packet-switched information network and the protected domain, 

- packet examining means for examining packets in order to determine, whether they contain digital 
data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain digital data that 
would pertain to said certain protocol, 

- replacing means for replacing, in packets that are found to contain digital data that pertains to said 
certain protocol, an original value of a certain destination information field with a replacement value 
that identifies an application gateway device as the destination of such packets, 

- redirecting means for redirecting packets to the application gateway device for processing 
according to a set of processing rules based on obedience to said certain protocol, and 

- signalling means for indicating to the application gateway part the original value of the destination 
information field found in packets at the moment of intercepting the packets at the packet filtering 
device. 

63. (Original) A packet processing device according to claim 62, wherein: 

- the replacing means are also adapted to replace, in packets that are found to contain digital data 
that pertains to said certain protocol, an original value of a certain source information field with a 
replacement value that identifies the packet processing device as the source of such packets, and 

- the signalling means are also adapted to indicate to the application gateway part the original value 
of the source information field found in packets at the moment of intercepting the packets at the 
packet filtering device. 

64. (Original) A packet processing device for handling digital data packets at a logical borderline 
that separates an untrusted packet-switched information network from a protected domain, 
comprising: 

- packet intercepting means for intercepting packets when they are in transit between the untrusted 
packet-switched information network and the protected domain, 

- packet examining means for examining packets in order to determine, whether they contain digital 
data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain digital data that 
would pertain to said certain protocol, 

- header adding means for prepending, to packets that are found to contain digital data that pertains 
to said certain protocol, a header containing a value that identifies an application gateway device as 
the destination of such packets, and 

- redirecting means for redirecting packets to the application gateway device for processing 
according to a set of processing rules based on obedience to said certain protocol. 

65. (Original) A packet processing device according to claim 64, wherein: 

- the header adding means are adapted to insert into the header also a value that identifies the packet 
processing device as the source of packets that are found to contain digital data that pertains to said 
certain protocol. 

66. (Original) An application gateway device for handling digital data packets at a logical 
borderline that separates an untrusted packet-switched information network from a protected 
domain, comprising: 

- means for receiving intercepted and redirected packets from a packet processor device that 
intercepts packets when they are in transit between the untrusted packet-switched information 
network and the protected domain, 

- means for receiving from the packet processor device an original value of a certain destination 
information field found in packets at the moment of intercepting the packets at the packet processor 
part, and 

- means for processing packets according to a set of processing rules that are based on obedience to 
said certain protocol and take also the original value of the destination information fields into 
account. 

67. (Original) An application gateway device according to claim 66, additionally comprising means 
for receiving from the packet processor device an original value of a certain source information field 
found in packets at the moment of intercepting the packets at the packet processor part, so that the 
means for processing packets are adapted to process packets according to a set of processing rules 
that are based on obedience to said certain protocol and take also the original values of the source 
and destination information fields into account. 

68. (Original) A software program product for handling digital data packets at a logical borderline 
that separates an untrusted packet-switched information network from a protected domain, 
comprising: 

- a packet processor program that is arranged to intercept packets when they are in transit between 
the untrusted packet-switched information network and the protected domain and to examine the 
packets in order to determine, whether the packets contain digital data that pertains to a certain 
protocol, 

- an application gateway program arranged to communicate with the packet processor program, 

- at the disposal of the packet processor program, packet processing means that are arranged to 
process such packets that are not found to contain digital data that would pertain to said certain 
protocol, 

- at the disposal of the packet processor program, redirecting means that are arranged to redirect to 
the application gateway program such packets that are found to contain digital data that pertains to 
said certain protocol, and 

- at the disposal of the application gateway program, application gateway processing means that are 
arranged to process such packets according to a set of processing rules based on obedience to said 
certain protocol that are redirected from the packet processor program to the application gateway 
program; 

of which the packet processor program is arranged to run as a kernel mode process in a computer 
device and the application gateway program is arranged to run as a user mode process in a computer 
device. 

69. (Original) A packet processor software program product for handling digital data packets at a 
logical borderline that separates an untrusted packet-switched information network from a protected 
domain, comprising: 

- packet intercepting means for intercepting packets when they are in transit between the untrusted 
packet-switched information network and the protected domain, 

- packet examining means for examining packets in order to determine, whether they contain digital 
data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain digital data that 
would pertain to said certain protocol, 

- replacing means for replacing, in packets that are found to contain digital data that pertains to said 
certain protocol, an original value of a certain destination information field with a replacement value 
that identifies an application gateway program as the destination of such packets, 

- redirecting means for redirecting packets to the application gateway program for processing 
according to a set of processing rules based on obedience to said certain protocol, and 

- signalling means for indicating to the application gateway program the original value of the 
destination information field found in packets at the moment of intercepting the packets at the 
packet filter program. 

70. (Original) A packet processor software program product according to claim 69, wherein: 

- the replacing means are also adapted to replace, in packets that are found to contain digital data 
that pertains to said certain protocol, an original value of a certain source information field with a 
replacement value that identifies the packet processor program as the source of such packets, and 

- the signalling means are also adapted to indicate to the application gateway program the original 
value of the source information field found in packets at the moment of intercepting the packets at 
the packet filter program. 

71. (Original) A packet processor software program product for handling digital data packets at a 
logical borderline that separates an untrusted packet-switched information network from a protected 
domain, comprising: 

- packet intercepting means for intercepting packets when they are in transit between the untrusted 
packet-switched information network and the protected domain, 

- packet examining means for examining packets in order to determine, whether they contain digital 
data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain digital data that 
would pertain to said certain protocol, 

- header adding means for prepending, to packets that are found to contain digital data that pertains 
to said certain protocol, a header containing a value that identifies an application gateway program 
as the destination of such packets, and 

- redirecting means for redirecting packets to the application gateway program for processing 
according to a set of processing rules based on obedience to said certain protocol. 

72. (Original) A packet processor software program product according to claim 71, wherein the 
header adding means are adapted to insert, to the header that is prepended to packets that are found 
to contain digital data that pertains to said certain protocol, a value that identifies the packet 
processor program as the source of such packets. 

Application No. 10/020,299 Docket No.: 35997-215657 

Amendment dated 

After Final Office Action of March 28, 2006 

73. (Original) An application gateway software program product for handling digital data packets at 
a logical borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising: 

- means for receiving intercepted and redirected packets from a packet processor program that 
intercepts packets when they are in transit between the untrusted packet-switched information 
network and the protected domain, 

- means for receiving from the packet processor program an original value of a certain destination 
information field found in packets at the moment of intercepting the packets at the packet processor 
program, and 

- means for processing packets according to a set of processing rules that are based on obedience to 
said certain protocol and take also the original value of the destination information field into 
account. 

74. (Original) An application gateway software program product according to claim 73, 
additionally comprising means for receiving from the packet processor program an original value of 
a certain source information field found in packets at the moment of intercepting the packets at the 
packet processor program, so that the means for processing packets are adapted to process packets 
according to a set of processing rules that are based on obedience to said certain protocol and take 
also the original values of the source and destination information fields into account. 